Abstract: The paper describes a logical notation for reasoning about digital circuits. The formalism provides a rigorous and natural basis for device specification as well as for proving properties such as correctness of implementation. Conceptual levels of circuit operation ranging from detailed quantitative timing and signal propagation up to functional behavior are integrated in a unified way. A temporal predicate calculus serves as the formal core of the notation, resulting in a versatile tool that has more

§1 Introduction

Computer systems continue to grow in complexity and the distinctions between hardware and software keep on blurring. Out of this has come an increasing awareness of the need for behavioral models suited for specifying and reasoning about both digital devices and programs. Contemporary hardware description languages (for example [1,15,19]) are not sufficient because of various conceptual limitations:

• Most such tools are intended much more for simulation than for mathematically sound reasoning about digital systems. Many compromises are made so that the descriptions can be executed.

• Difficulties arise in developing circuit specifications that out of necessity must refer to different levels of behavioral abstraction.

• What formal tools there are for such languages cannot in general deal with the inherent parallelism and nondeterminism of circuits.

The formalism presented in this paper overcomes these problems and unifies in a single notation digital circuit behavior that is generally described by means of the following techniques:

• Register transfer operations

• Flowgraphs and transition tables

• Tables of functions

• Timing diagrams

• Schematics and block diagrams

The notation is based on discrete time intervals and combines aspects of standard temporal logics [12,17] with features of dynamic logic [7]. Halpern et al. [6] show that useful subsets of the logic are decidable and of relatively reasonable computational complexity. This indicates that partial automation of reasoning may be practical. The formalism's applicability is by no means limited to the goals of computer-assisted verification and synthesis of circuits. This type of notation, with appropriate "syntactic sugar," could provide a fundamental and rigorous basis for communicating, reasoning or teaching about digital concepts and devices. Simulation-based languages could for example use such a logic as a vehicle for describing the intended semantics of delays and other features. Thus, semi-automated correctness checking is really only one part of a much bigger picture.

Before outlining the formalism, the paper discusses related work. The temporal logic is then informally introduced by way of sample properties. Following this, the formalism serves as a basis for specifying and reasoning about various aspects of a simple delay element as well as of a hardware multiplication circuit. Quantitative timing as well as algorithm development are discussed.

§2 Related Work

Gordon's work [4] on register-transfer systems uses a denotational semantics to provide a concise means for reasoning about clocking, feedback, instruction-set implementation and bus communication. No quantitative timing properties are considered and the notation has some difficulties in describing operations occurring over multiple cycles. Wagner [20] presents a semi-automated proof development system for reasoning about signal transitions and register transfer behavior. Unfortunately the notation suffers from a lack of formality that is difficult to remedy. Malachi and Owicki [11] utilize a temporal logic to model self-timed digital systems by giving a set of axioms. No indication is included on how to generalize the work to the entire domain of digital circuits. The work of Bochmann [2] describes and verifies properties of an arbiter, a device for regulating access to shared resources. The presentation, by means of a temporal logic, reveals some tricky aspects in reasoning about such components although the concepts used are not as rigorously developed as they may appear to be and do not easily generalize. As in the previous works, no quantitative timing issues are examined.

Leinwand and Lamdan [9] use a type of Boolean algebra to model signal transitions. Applications include systems with feedback and critical timing constraints. The use of the notation for non-trivial examples is very unintuitive. Patterson [16] explores the verification of firmware. This work views the problem from the sequential programming standpoint without describing the underlying digital circuitry and related issues of concurrency and timing. There is also work by Meinen [13] on register transfer behavior and McWilliams [10] on worst-case time constraints.

Eveking [3] uses predicate calculus with an explicit time variable to explore verification in the Conlan language. Although such an approach can in principle describe circuits, the proliferation of variables representing explicit time points becomes a major hindrance from a practical as well as theoretical standpoint. Many high-level temporal concepts become easily obscured amid all the notation.

A number of people have used temporal logics to describe computer communication protocols [5,8,18]. However, the precise connections between protocols and the underlying hardware and software are still rather unclear, as are the relative advantages of the different techniques employed.

§3 Notational Preliminaries

Before the logic is introduced, it is necessary to say a little about the kinds of mathematical entities used here for modelling digital signals.

Data Values

Values are limited to natural numbers, $\bot$ (read "bottom"), and finite-length vectors constructed using these elements. Both 0 and 1 as well as $\bot$ serve as bits, with 0 standing for low voltage, 1 for high voltage and $\bot$ representing voltages that are out of range. Finite-length vectors can be formed containing natural numbers and $\bot$. The following are sample values:

$0,\ 3,\ \bot,\ (0),\ (1, 2),\ ()$


Bit Operations

Four basic operations defined on bits are complement ($\ominus$), and ($\otimes$), or ($\oplus$) and exclusive-or ($\odot$). The symbols $\ominus$, $\otimes$ and $\oplus$ are used instead of $\neg$, $\land$ and $\lor$ in order to distinguish notationally between bit expressions and formulas in the underlying predicate calculus. Here are the corresponding truth tables extended to include $\bot$:

  ⊖ |          ⊗ | 0  1  ⊥        ⊕ | 0  1  ⊥        ⊙ | 0  1  ⊥
  --+--         --+---------       --+---------       --+---------
  0 | 1          0 | 0  0  0        0 | 0  1  ⊥        0 | 0  1  ⊥
  1 | 0          1 | 0  1  ⊥        1 | 1  1  1        1 | 1  0  ⊥
  ⊥ | ⊥          ⊥ | 0  ⊥  ⊥        ⊥ | ⊥  1  ⊥        ⊥ | ⊥  ⊥  ⊥

§4 Informal Overview of Temporal Operators

The temporal logic provides a basis for describing periods of time such as in timing diagrams. Concepts such as signal response and oscillation are readily expressible. Examples serve to introduce the various operators used later in this paper. This presentation has been kept rather informal although the entire logic is explored in detail in Halpern et al. [6] and Moszkowski [14].

Time is modeled as being discrete and finite. The following figure is a typical timing diagram:

[Figure: timing diagram of the signals X, Y and Z over a time axis marked 0, 10, 20, 30, 40, 50 units]

This represents the behavior of the signals X, Y and Z over a period of 50 units of time. The signal X goes up and down twice, while Y is stable with the value 1. Initially Z equals 0 for over 20 units, after which it equals $\bot$. Notice that all times are relative. This approach is used because the properties to be examined depend solely on distances between points, independent of any absolute times.

The group of signals can be modeled as a finite temporal interval $\sigma$ mapping variables and times to values. The behavior of intervals is concisely expressible by the temporal formulas presented below. Given such a formula $p$, the construct $\sigma \models p$ means $p$ is true for the interval $\sigma$. The notation $\models p$ signifies that the formula $p$ is true of all intervals. Please keep in mind that all operators discussed can be expressed in terms of a small collection of fundamental notions. The properties shown are deducible from a basic set of logical rules.

4.1 Initial and Terminal Equality

The formula $\mathit{beg}(X = Y)$ is true for an interval $\sigma$ if within $\sigma$ the two signals X and Y have equal starting values. Similarly, the construct $\mathit{fin}(X = Y)$ is true for an interval $\sigma$ if X and Y end up equal in $\sigma$.

Examples for a given interval $\sigma$:

Concept: X and Y start equal and end complements
Formula: $\sigma \models [\mathit{beg}(X = Y) \land \mathit{fin}(X = \ominus Y)]$

Concept: X ends equal to 1 and Y ends equal to 0
Formula: $\sigma \models \mathit{fin}(X = 1 \land Y = 0)$

Properties that are true for all intervals:

$\models \neg\mathit{fin}(X = Y) \equiv \mathit{fin}(\neg(X = Y))$

The signals X and Y do not end equal if and only if they end up not equal.

$\models \mathit{fin}((X \otimes Y) = 1) \supset \mathit{fin}(X = 1 \land Y = 1)$

If the bit-and of X and Y ends up equaling 1, both X and Y end up equal to 1.

4.2 Temporal Equality

Two signals X and Y are temporally equal in an interval $\sigma$ if they have the same values at all times. This is written $X \approx Y$ and differs from the constructs for initial and terminal equality, which only examine signals' values at the extremes of the interval.

Examples:

Concept: The signal X is 0 throughout the interval
Formula: $\sigma \models X \approx 0$

Concept: The bit-and of X and Y everywhere equals 0
Formula: $\sigma \models (X \otimes Y) \approx 0$

Concept: X agrees everywhere with the complement of Y
Formula: $\sigma \models X \approx \ominus Y$

Properties:

$\models X \approx Y \supset f(X) \approx f(Y)$

If two signals are temporally equal, then any function applied to one of them temporally equals the same function applied to the other.

$\models X \approx 0 \supset (X \otimes Y) \approx 0$

If X temporally equals 0, then the bit-and of it with another signal also equals 0 everywhere.

$\models (X, Y) \approx (0, 1) \equiv [X \approx 0 \land Y \approx 1]$

The pair (X, Y) temporally equals (0, 1) exactly if the signal X temporally equals 0 and Y temporally equals 1.
4.3 Temporal Stability

A signal X is stable if it has a constant, defined value. The notation used is $\mathit{stb}\,X$. In the case of a bit signal, this means that the signal is always 0 or always 1, that is

$\mathit{stb}\,X \equiv [X \approx 0 \lor X \approx 1]$

Example (this and further examples will omit the symbols "$\sigma \models$"):

Concept: The complement of X is stable
Formula: $\mathit{stb}\,\ominus X$

Properties:

$\models [X \approx 1] \equiv [\mathit{stb}\,X \land \mathit{beg}(X = 1)]$

The signal X always equals 1 if and only if X is stable and initially equals 1.

$\models \mathit{stb}\,X \equiv \mathit{stb}\,\ominus X$

A bit signal is stable if and only if its complement is.

$\models [\mathit{stb}\,X \land \mathit{stb}\,Y] \supset \mathit{stb}(X \oplus Y)$

If two bit signals are stable, then so is their bit-or. The converse is not always true.

$\models \mathit{stb}(X, Y) \equiv [\mathit{stb}\,X \land \mathit{stb}\,Y]$

A pair is stable exactly if the two individual signals are.

4.4 Temporal Length

Quantitative timing properties are handled by a special object $\mathit{len}$ whose value for any interval $\sigma$ equals the length of $\sigma$.

Examples:

Concept: The interval is at least m units in length
Formula: $\mathit{len} \geq m$

Concept: The signal X is stable and $\sigma$ measures at least m units
Formula: $\mathit{stb}\,X \land \mathit{len} \geq m$

The predicate $\mathit{empty}$ is true exactly if the interval has length 0. The predicate $\mathit{skip}$ is true if the interval has length exactly 1. Since time is discrete, this is the minimum nonzero width.
4.5 Examining Subintervals

For a formula $p$ and interval $\sigma$, the construct $\boxed{a}\,p$ is true if $p$ is true in all subintervals of time contained within $\sigma$, including $\sigma$ itself. Note that the "a" in $\boxed{a}$ simply stands for "all" and is not a variable. The formula $\diamondsuit_a\,p$ is true if the formula $p$ itself is true in at least one subinterval of $\sigma$.

Examples:

Concept: In some subinterval of length ≥ m + n, X is stable
Formula: $\diamondsuit_a([\mathit{len} \geq m + n] \land \mathit{stb}\,X)$

Concept: In all subintervals ≤ m units, X is stable
Formula: $\boxed{a}([\mathit{len} \leq m] \supset \mathit{stb}\,X)$

Properties:

$\models \boxed{a}\,p \supset p$

If a formula p is true in all subintervals then it is true in the primary interval.

$\models \diamondsuit_a\,p \equiv \neg\boxed{a}\,\neg p$

A formula is true in some subinterval if and only if the formula is not everywhere false.

$\models \boxed{a}(p \land q) \equiv [\boxed{a}\,p \land \boxed{a}\,q]$

The logical-and of two formulas p and q is true in every subinterval if and only if both formulas are true everywhere.

$\models \diamondsuit_a\,p \equiv \diamondsuit_a\,\diamondsuit_a\,p$

A formula is somewhere true exactly if there is some subinterval in which the formula is somewhere true.

$\models [\boxed{a}\,p \land \diamondsuit_a\,q] \supset \diamondsuit_a(p \land q)$

If p is true in all subintervals and q is true in some subinterval then both are simultaneously true in at least one.

$\models [X \approx Y] \equiv \boxed{a}(X = Y)$

Two signals are temporally equal in an interval exactly if they are equal in every subinterval.

$\models \mathit{stb}\,X \supset \boxed{a}\,\mathit{stb}\,X$

If X is stable in the overall interval, X is also stable in every subinterval.
4.6 Initial Subintervals

The operators $\boxed{i}$ and $\diamondsuit_i$ are similar to $\boxed{a}$ and $\diamondsuit_a$ but only look at initial subintervals starting at time 0.

Example:

Concept: X is initially stable for at least the first m units
Formula: $\diamondsuit_i(\mathit{stb}\,X \land \mathit{len} \geq m)$
4.7 Temporal Dependence

It is useful to specify that a signal X remains stable as long as another signal Y does. X is said to depend on Y, written $X \mathrel{\mathit{dep}} Y$. This can be expressed using the temporal formula

$X \mathrel{\mathit{dep}} Y =_{def} \boxed{i}(\mathit{stb}\,Y \supset \mathit{stb}\,X)$

Examples:

Concept: X and Y remain stable while Z does
Formula: $(X, Y) \mathrel{\mathit{dep}} Z$

Concept: X remains stable as long as the pair (Y, Z) does
Formula: $X \mathrel{\mathit{dep}} (Y, Z)$

Properties:

$\models [X \mathrel{\mathit{dep}} Y \land \mathit{stb}\,Y] \supset \mathit{stb}\,X$
If X depends on Y and Y is stable, then so is X.

$\models [X \mathrel{\mathit{dep}} Y \land Y \mathrel{\mathit{dep}} Z] \supset X \mathrel{\mathit{dep}} Z$
Dependence is transitive.

$\models \mathit{beg}(X = 0) \supset (X \otimes Y) \mathrel{\mathit{dep}} X$
If X initially equals 0, then the bit-and of X and Y depends on X.

$\models [X \mathrel{\mathit{dep}} Z \land Y \mathrel{\mathit{dep}} Z] \equiv (X, Y) \mathrel{\mathit{dep}} Z$
The variables X and Y depend on Z exactly if the pair (X, Y) does.
4.8 Adjacent Subintervals

Given a time interval, the formula $p;q$ is true if there is at least one way to divide the interval into two adjacent subintervals $\sigma$ and $\sigma'$ such that the formula $p$ is true in the first one, $\sigma$, and the formula $q$ is true in the second, $\sigma'$. In particular, a rising signal can be described by the predicate $\uparrow X$:

$\uparrow X =_{def} [(X \approx 0);\ \mathit{skip};\ (X \approx 1)]$

This says that X is 0 for a while and then jumps to 1. The gap of quantum length represented by the test $\mathit{skip}$ is necessary here since a signal cannot be 0 and 1 at exactly the same instant. Falling signals are analogously described by the construct $\downarrow X$:

$\downarrow X =_{def} [(X \approx 1);\ \mathit{skip};\ (X \approx 0)]$

Examples:

Concept: X is stable and Y goes up
Formula: $\mathit{stb}\,X \land \uparrow Y$

Concept: The bit-or of X and Y falls
Formula: $\downarrow(X \oplus Y)$

Concept: In every subinterval where X rises, Y falls
Formula: $\boxed{a}(\uparrow X \supset \downarrow Y)$

Concept: X goes up and then back down
Formula: $\uparrow X;\ \downarrow X$

Properties:

$\models (\uparrow X \land \uparrow Y) \supset [\uparrow(X \otimes Y) \land \uparrow(X \oplus Y)]$

If two bit signals rise, so do their bit-and and bit-or.

$\models \downarrow X \equiv \uparrow \ominus X$

A bit signal falls exactly if its complement rises.

$\models [\uparrow X \land \mathit{beg}(Y = 0) \land (Y \mathrel{\mathit{dep}} X)] \supset \uparrow(X \oplus Y)$

If X rises and in addition Y initially equals 0 and depends on X, then the bit-or of X and Y also rises.

These operators can be extended to include quantitative information specifying minimum periods of stability before and after the transitions. For example, timing details can be added to the operator $\uparrow$:

$\uparrow^{m,n} X =_{def} [(X \approx 0 \land \mathit{len} \geq m);\ \mathit{skip};\ (X \approx 1 \land \mathit{len} \geq n)]$

A negative pulse with quantitative information can be described as shown below:

$\Downarrow^{\ell,m,n} X =_{def} [(X \approx 1 \land \mathit{len} \geq \ell);\ \mathit{skip};\ (X \approx 0 \land \mathit{len} \geq m);\ \mathit{skip};\ (X \approx 1 \land \mathit{len} \geq n)]$
4.9 Temporal Assignment

The formula $X \rightarrow Y$ is true for an interval if X's initial value equals Y's final value.

Example:

Concept: Z ends up with the complement of Y's initial value
Formula: $\ominus Y \rightarrow Z$

Properties:

$\models \mathit{stb}\,X \supset (X \rightarrow X)$

A stable signal's initial and final values agree.

$\models [(X \rightarrow Y);\ (Y \rightarrow Z)] \supset [X \rightarrow Z]$

If Y gets X's value and then Z gets Y's, the net result is that Z gets X's initial value.

$\models (\ominus X \rightarrow Y) \equiv (X \rightarrow \ominus Y)$

The bit signal Y gets the complement of X's value exactly if Y's complement gets the value of X itself.

$\models [(\ominus Z \rightarrow Z);\ (\ominus Z \rightarrow Z)] \supset (Z \rightarrow Z)$

If a signal is twice complemented, it ends up with its original value.


4.10 Repetition

An interval can be broken up into an arbitrary number of successive subintervals, each satisfying some formula $p$. The construct $p^n$ has the same meaning as

$\underbrace{p;\ \cdots\ ;p}_{n\ \text{times}}$

For the case of n = 0, an interval $\sigma$ satisfies the operator exactly if $\sigma$'s length is 0.

Examples:

Concept: The signal Y twice goes up and down
Formula: $(\uparrow Y;\ \downarrow Y)^2$

Concept: Z is complemented n times
Formula: $(\ominus Z \rightarrow Z)^n$

Properties:

$\models (\ominus X \rightarrow X)^n \supset [X \odot (n \bmod 2) \rightarrow X]$

After a series of n complements, X ends up with the initial value of the exclusive-or of X and (n mod 2). For instance, if n is even, X ends up unchanged.

$\models (p^m)^n \equiv p^{mn}$

If a formula p is repeated m times within a further repetition of n cycles, the net result is the same as iterating p a total of mn times.

§5 Simple Delay Element

Delay is of fundamental importance in digital systems. One of the simplest types of delay elements has the following structure:

[Figure: a block labeled "n-unit delay" with input In on the left and output Out on the right]

Here In is the input bit signal and Out is the associated output. The variable n is a fixed natural number indicating the time delay between a value appearing on the input and later on the output. The following statement uses intervals to characterize this behavior:

In every subinterval of length exactly n units, the initial input value agrees with the final output one.

The next predicate Delay captures the required interaction:

$\mathit{Delay}(\mathit{In}, \mathit{Out}, n) =_{def} \boxed{a}[(\mathit{len} = n) \supset (\mathit{In} \rightarrow \mathit{Out})]$

Properties:

• A delay element is also a delay element in every subinterval:

$\models \mathit{Delay}(\mathit{In}, \mathit{Out}, n) \supset \boxed{a}\,\mathit{Delay}(\mathit{In}, \mathit{Out}, n)$

• Zero delay is the same as temporal equality:

$\models \mathit{Delay}(\mathit{In}, \mathit{Out}, 0) \equiv (\mathit{In} \approx \mathit{Out})$

• Two connected delays result in a combined delay:

$\models [\mathit{Delay}(\mathit{In1}, \mathit{Out1}, n1) \land \mathit{Delay}(\mathit{In2}, \mathit{Out2}, n2) \land \mathit{Out1} \approx \mathit{In2}] \supset \mathit{Delay}(\mathit{In1}, \mathit{Out2}, n1 + n2)$

Note that the total delay n1 + n2 is the sum of the delays n1 and n2.

An alternative delay model can be given containing an internal state of n + 1 bits that are shifted as in a queue. The two distinct models are formally equivalent, as can be expressed and demonstrated with the temporal logic.

The object $\mathit{len}$ is used in the definition of Delay to measure time. Actually, other metrics seem possible. For example, some variable might represent the number of clock cycles or machine instructions executed in each interval. The properties of delay remain basically the same.
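As an added illustration that is not code from the paper, the following Python evaluator gives the finite-interval semantics of the operators of §4 directly (intervals as lists of states) and uses it to check the three Delay properties above on a constructed trace; the marker BOT, the helper names and the sample signal values are the example's own assumptions.

```python
# Added example (not from the paper): a direct evaluator for the finite-interval
# temporal operators of Section 4, used to check the Delay properties of Section 5
# on a constructed trace. An interval is a list of states; a state maps signal
# names to values; len in the paper's sense is the number of states minus one.

BOT = "bot"   # constructed marker for the out-of-range value (bottom)

def length(s):               # len: time units spanned by interval s
    return len(s) - 1

def sig(name):               # a signal, read from a state
    return lambda st: st[name]

def const(v):
    return lambda st: v

def compl(x):                # bit complement, bottom maps to bottom
    return lambda st: BOT if x(st) == BOT else 1 - x(st)

def bit_and(x, y):           # three-valued bit-and from the Section 3 table
    def f(st):
        a, b = x(st), y(st)
        if a == 0 or b == 0:
            return 0
        return BOT if BOT in (a, b) else 1
    return f

def beg(x, y):               # beg(X = Y): initial values equal
    return lambda s: x(s[0]) == y(s[0])

def teq(x, y):               # X ≈ Y: equal in every state of the interval
    return lambda s: all(x(st) == y(st) for st in s)

def stb(x):                  # stb X ≡ [X ≈ 0 ∨ X ≈ 1]
    return lambda s: teq(x, const(0))(s) or teq(x, const(1))(s)

def empty(s):                # length 0
    return length(s) == 0

def skip(s):                 # length exactly 1
    return length(s) == 1

def chop(p, q):              # p;q: some split state belongs to both halves
    return lambda s: any(p(s[:k + 1]) and q(s[k:]) for k in range(len(s)))

def box_a(p):                # all subintervals, the interval itself included
    return lambda s: all(p(s[i:j + 1])
                         for i in range(len(s)) for j in range(i, len(s)))

def box_i(p):                # all initial subintervals starting at time 0
    return lambda s: all(p(s[:j + 1]) for j in range(len(s)))

def dep(x, y):               # X dep Y ≡ box_i(stb Y ⊃ stb X)
    return box_i(lambda s: (not stb(y)(s)) or stb(x)(s))

def rise(x):                 # ↑X ≡ (X ≈ 0); skip; (X ≈ 1)
    return chop(teq(x, const(0)), chop(skip, teq(x, const(1))))

def fall(x):                 # ↓X ≡ (X ≈ 1); skip; (X ≈ 0)
    return chop(teq(x, const(1)), chop(skip, teq(x, const(0))))

def assign(x, y):            # X → Y: X's initial value equals Y's final value
    return lambda s: x(s[0]) == y(s[-1])

def power(p, n):             # p^n: n successive subintervals each satisfying p
    return empty if n == 0 else chop(p, power(p, n - 1))

def delay(inp, out, n):      # Delay(In, Out, n) ≡ box_a[(len = n) ⊃ (In → Out)]
    return box_a(lambda s: length(s) != n or assign(inp, out)(s))

def interval(**cols):        # states built from per-signal value lists
    return [dict(zip(cols, vals)) for vals in zip(*cols.values())]

# Constructed 7-unit trace: Out1 is In delayed 2 units, Out2 is Out1 delayed 1 unit.
TRACE = interval(In=[0, 0, 1, 1, 1, 0, 0, 0],
                 Out1=[0, 0, 0, 0, 1, 1, 1, 0],
                 Out2=[0, 0, 0, 0, 0, 1, 1, 1])
In, Out1, Out2 = sig("In"), sig("Out1"), sig("Out2")

def check_delay_composition():
    """Two connected delays of 2 and 1 units act as a single 3-unit delay."""
    parts = delay(In, Out1, 2)(TRACE) and delay(Out1, Out2, 1)(TRACE)
    return parts and delay(In, Out2, 3)(TRACE)

def check_zero_delay():
    """Delay(In, Out, 0) agrees with In ≈ Out, whether true (In, In) or false."""
    return (delay(In, In, 0)(TRACE) and teq(In, In)(TRACE)
            and not delay(In, Out1, 0)(TRACE) and not teq(In, Out1)(TRACE))

def check_rise_and_fall():
    """↓X ≡ ↑⊖X on two intervals; In goes up then down once, not twice."""
    dual = all(fall(In)(t) == rise(compl(In))(t) for t in (TRACE, TRACE[2:]))
    pulse = chop(rise(In), fall(In))
    return (dual and fall(In)(TRACE[2:]) and power(pulse, 1)(TRACE)
            and not power(pulse, 2)(TRACE))

def check_dependence():
    """beg(X = 0) ⊃ (X ⊗ Y) dep X, checked with X = In, Y = Out1."""
    return beg(In, const(0))(TRACE) and dep(bit_and(In, Out1), In)(TRACE)
```

Each check enumerates every subinterval of the trace, so the evaluator is exponential in formula depth and only meant for small finite intervals.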

§6 Multiplication Circuit

The hardware multiplier considered here is motivated by one discussed in Wagner's work on hardware verification [20]. The desired device behavior is first described, followed by a look at implementation techniques. The multiplier has the following general structure:

[Figure: block diagram of the multiplier with vector inputs In1[0 to n − 1] and In2[0 to n − 1], control inputs Ck and Ld, vector output Out[0 to 2n − 1], and parameters n, count, c1, c2, c3]

The circuit accepts two numbers and after a given number of clock cycles yields the product. The numbers are represented as unsigned n-bit vectors In1 and In2 while the output Out is a 2n-bit one. In addition to the vector inputs and output, there are two input bits Ck and Ld which control operation. The signal Ck serves as the clock input and Ld initiates the loading of the vectors to be multiplied. The field count tells how many clock cycles are required. The values c1, c2 and c3 are timing coefficients used in the behavioral description.

6.1 Additional Notation

Because the multiplier deals with numbers and their representation as bit vectors, it is convenient to introduce some extra notation before giving the device's formal description:

• Subscripts on a vector $V = (v_0, \ldots, v_n)$ normally range from 0 on the left to n on the right. The construct $V[i]$ follows this style. However, to simplify reasoning about the correspondence between a bit vector and its numerical equivalent, a slightly different convention is adopted. The alternative notation $V\{i\}$ indexes V from the right with the right-most element having subscript 0. For example:

$(1, 0, \bot)\{0\} = \bot,\quad (1, 0, \bot)\{1\} = 0,\quad (1, 0, \bot)\{2\} = 1$

For a vector V and $i \geq j$, the expression $V\{i \text{ to } j\}$ forms a new vector out of the elements indexed from i down to j. If $i < j$, the empty vector is returned. For example,

$(0, 9, \bot, 2)\{3 \text{ to } 1\} = (0, 9, \bot),\quad (0, 1)\{0 \text{ to } 0\} = (1),\quad (\bot, 1, 0, 1)\{1 \text{ to } 2\} = ()$

• The predicate $\mathit{def}\,X$ is true for a scalar value X if X does not equal $\bot$. In this case, X is defined. A vector is defined exactly if all its components are. For example, the following values are defined:

$0,\ 3,\ (1, 0),\ ()$

The values given below are not defined:

$\bot,\ (\bot, \bot),\ (\bot, 0)$

• The function $\mathit{nval}$ converts a bit vector to its unsigned numeric value. For example,

$\mathit{nval}((0, 1, 1)) = 3,\quad \mathit{nval}((1, 1, 0, 0)) = 12$

If any element of the vector is undefined, $\mathit{nval}$ yields $\bot$ as the result. Thus,

$\mathit{nval}((1, \bot, 0, 0, 1)) = \bot$

6.2 Overview of Description Techniques

In what follows, the predicate Multiplier specifies the desired behavior of a multiplication circuit. The device's various inputs, outputs and timing coefficients are represented as fields of the single parameter M. An iterative, timing-independent multiplication algorithm is then presented which computes a product by a series of successive additions. Later, the predicate Implementation(H) characterizes a device which computes sums and in fact has the algorithm's steps embedded within it. A logical implication is then given, showing how Implementation(H) realizes Multiplier(M).

6.3 Formal Specification of Multiplication Circuit

The predicate Multiplier formally characterizes the circuit's desired structure and behavior. The single parameter M is a tuple representing the multiplier. For example, the expression M.Ck equals the clock input. The predicate's definition makes reference to other predicates given later:

$\mathit{Multiplier}(M) =_{def} \mathit{MultStructure}(M) \land \boxed{a}\,\mathit{Calculate}(M)$

The predicate MultStructure presents M's fields. The predicate Calculate gives the control sequencing required to perform a multiplication. The operator $\boxed{a}$ indicates that Calculate must be true in all subintervals.
Definition of MultStructure:

The definition below of MultStructure contains information on the physical structure of the multiplier. Variables starting in upper case represent signals while lower-case ones are constant. Labels such as Inputs: are comments included to classify the various circuit fields. For example, M.In1 is an input bit vector.

MultStructure(M) =def
  Inputs:
    (Ck, Ld): Bit,
    In1{n − 1 to 0}: Bit,
    In2{n − 1 to 0}: Bit
  Outputs:
    Out{2n − 1 to 0}: Bit
  Parameters:
    n: nat,
    count: nat,
    c1, c2, c3: time

For brevity, the prefix "M." is omitted when a field is referenced below.

Definition of Calculate:

If the inputs behave as specified by the predicate Control, the output Out ends up with the product of the initial values of In1 and In2. Recall that the function nval converts a bit sequence to the corresponding numerical value.

$\mathit{Calculate}(M) =_{def} \mathit{Control}(M) \supset \big([\mathit{nval}(\mathit{In1}) \cdot \mathit{nval}(\mathit{In2})] \rightarrow \mathit{nval}(\mathit{Out})\big)$

Definition of Control:

The predicate Control describes the required sequencing of the inputs so that a multiplication takes place. The computation first loads the circuit and then keeps the load line inactive while the clock is cycled.

$\mathit{Control}(M) =_{def} \mathit{Load}(M);\ ([\mathit{Ld} \approx 0] \land \mathit{Cycling}(M))$
Definition of Load:

Loading is done as indicated by the predicate Load. The clock is cycled as given by the predicate SingleCycle. The control signal Ld starts with the value 1 and together with the other inputs In1 and In2 remains initially stable as long as the clock input Ck does.

$\mathit{Load}(M) =_{def} \mathit{SingleCycle}(M) \land \mathit{beg}(\mathit{Ld} = 1) \land (\mathit{Ld}, \mathit{In1}, \mathit{In2}) \mathrel{\mathit{dep}} \mathit{Ck}$

Definition of SingleCycle:

An individual clock cycle consists of a negative pulse:

$\mathit{SingleCycle}(M) =_{def} \Downarrow^{c1,c2,c3} \mathit{Ck}$

The clock signal falls from 1 to 0 and then rises back to 1. The three times given indicate the minimum widths of the levels during which the clock is stable.

Definition of Cycling:

The overall cycling of the clock is as follows:

$\mathit{Cycling}(M) =_{def} (\mathit{SingleCycle}(M))^{\mathit{count}}$

A total of count individual cycles must be performed one after the other, where each is a negative pulse satisfying the predicate SingleCycle.

Variants of the Specification

The predicate Multiplier does not represent the only way to describe the multiplier circuit. Alternative approaches based on an internal state can be shown to be formally equivalent to the one given here. A useful extension to this description specifies that once the output is computed, it remains stable as long as the control inputs do. If desired, additional quantitative timing details can readily be included.


6.4 Development of Multiplication Algorithm

The specification predicate Multiplier intentionally makes no reference to any particular technique for multiplying. Since the process of multiplication does not generally depend on any specific circuit timing, it is natural to separate algorithmic issues from other implementation details. The temporal logic now serves as a basis for deriving a suitable circuit-independent algorithm for determining the product and in the next section as a means for describing hardware that realizes this method. The synthesis process can be viewed as a proof in reverse, starting with the goal and ending with the necessary assumptions to achieve it.

The aim here is to obtain an algorithm describing some way for doing the multiplication. The variables n, In1, In2 and Out are represented as fields of a variable A. The predicate Goal below specifies the desired result:

$\mathit{Goal}(A) =_{def} \mathit{beg}(\mathit{def}\,\mathit{In1} \land \mathit{def}\,\mathit{In2}) \supset \big([\mathit{nval}(\mathit{In1}) \cdot \mathit{nval}(\mathit{In2})] \rightarrow \mathit{nval}(\mathit{Out})\big)$

If the data inputs In1 and In2 are initially defined, the output Out should end up with their product. The presentation given here reduces the problem of multiplying the two n-bit vectors to that of using repeated additions to determine successively larger partial products. The algorithm consists of initialization followed by n successive iterations. After i iterations of the loop, for $i \leq n$, the initial product of In1 and the least significant i bits of In2, that is,

$\mathit{nval}(\mathit{In1}) \cdot \mathit{nval}(\mathit{In2}\{i - 1 \text{ to } 0\})$

is computed and available in the upper n + i bits of Out. Neither In1 nor In2 is guaranteed to remain stable once initialization is complete. However, their initial values must be used throughout the calculation. The lower n − i bits of Out hold the unexamined bits of In2 (i.e., In2{n − 1 to i}). In addition, an extra n-bit variable Temp is introduced in order to remember the original value of In1. The following figure informally depicts the situation after i steps:

[Figure: layout after i steps. Out, bits 2n − 1 down to n − i (n + i bits): the partial product nval(In1) · nval(In2{i − 1 to 0}); Out, bits n − i − 1 down to 0 (n − i bits): the rest of In2, namely In2{n − 1 to i}. Temp, bits n − 1 down to 0 (n bits): the value of In1.]

After n steps, Out equals the desired 2n-bit multiplication result.
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The  predicate  Assert  below  precisely  specifies  this  behavior  over  i  iterations 
for  {  <  n.  Note  that  both  inputs  Ini  and  In2  must  be  initially  defined  for  the 
operations  to  properly  take  place. 

$$
\begin{aligned}
\mathit{Assert}(A, i) =_{\mathrm{def}}\ & \mathit{beg}(\mathit{def}\,\mathit{In1} \wedge \mathit{def}\,\mathit{In2}) \supset \\
& \bigl[\,(\mathit{nval}(\mathit{In1}) \cdot \mathit{nval}(\mathit{In2}[i-1 \text{ to } 0])) \to \mathit{nval}(\mathit{Out}[2n-1 \text{ to } n-i]) \\
& \;\wedge\; \mathit{In2}[n-1 \text{ to } i] \to \mathit{Out}[n-i-1 \text{ to } 0] \\
& \;\wedge\; \mathit{In1} \to \mathit{Temp}\,\bigr]
\end{aligned}
$$

After n steps, the product must be computed. For i = n, Assert indeed
observes this requirement:

$$
\mathit{Assert}(A, n) \supset \mathit{Goal}(A) \qquad (*)
$$

Expressed in the logic, the algorithm takes the following form:

$$
\mathit{Init}(A);\ (\mathit{Step}(A))^{n}
$$

In the next two subsections, the predicates Init and Step are given in detail. Both
Init and Step are derived so as to maintain Assert after looping i times for any
i ≤ n:

$$
\bigl[\, i \le n \wedge \mathit{Init}(A);\ (\mathit{Step}(A))^{i} \,\bigr] \supset \mathit{Assert}(A, i) \qquad (**)
$$

The properties (*) and (**) together ensure that n iterations of the loop calculate
the product:

$$
\mathit{Init}(A);\ (\mathit{Step}(A))^{n} \supset \mathit{Goal}(A)
$$


Deriving  the  Predicate  Init 

The initialization requirement can be obtained by making sure Init satisfies
Assert for i = 0:

$$
\mathit{Init}(A) \supset \mathit{Assert}(A, 0)
$$

Simplification of Assert yields the constraint

$$
\begin{aligned}
\mathit{Init}(A) \supset\ & \mathit{beg}(\mathit{def}\,\mathit{In1} \wedge \mathit{def}\,\mathit{In2}) \supset \\
& \bigl[\, 0 \to \mathit{nval}(\mathit{Out}[2n-1 \text{ to } n]) \\
& \;\wedge\; \mathit{In2} \to \mathit{Out}[n-1 \text{ to } 0] \\
& \;\wedge\; \mathit{In1} \to \mathit{Temp}\,\bigr]
\end{aligned}
$$

This can be achieved by the definition

$$
\begin{aligned}
\mathit{Init}(A) =_{\mathrm{def}}\ & \mathit{beg}(\mathit{def}\,\mathit{In1} \wedge \mathit{def}\,\mathit{In2}) \supset \\
& \bigl[\, (0, \ldots, 0) \to \mathit{Out}[2n-1 \text{ to } n] \\
& \;\wedge\; \mathit{In2} \to \mathit{Out}[n-1 \text{ to } 0] \\
& \;\wedge\; \mathit{In1} \to \mathit{Temp}\,\bigr]
\end{aligned}
$$


Deriving  the  Predicate  Step 

The iteration step should be constructed so that after i iterations for any i < n,
Step can inductively widen the scope of the assertion from i to i + 1 iterations:

$$
\bigl[\, i < n \wedge \mathit{Assert}(A, i);\ \mathit{Step}(A) \,\bigr] \supset \mathit{Assert}(A, i+1)
$$

Each step achieves this by selectively adding Temp's n bits to Out, depending on
Out's least significant bit, Out[0]. Only the top n bits of Out are actual inputs for the sum.
The top n + 1 bits store the result. The remaining n − 1 bits of Out are simply
shifted right. For Temp the requirement reduces to the formula

$$
\mathit{Step}(A) \supset \bigl[\, \mathit{beg}(\mathit{def}\,\mathit{Temp}) \supset (\mathit{Temp} \to \mathit{Temp}) \,\bigr]
$$

This guarantees that Temp continues to remember the initial value of In1.

The constraint for Out is

$$
\begin{aligned}
\mathit{Step}(A) \supset\ & \mathit{beg}(\mathit{def}\,\mathit{Out} \wedge \mathit{def}\,\mathit{Temp}) \supset \\
& \bigl[\, (\mathit{nval}(\mathit{Out}[2n-1 \text{ to } n]) + \mathit{Out}[0] \cdot \mathit{nval}(\mathit{Temp})) \to \mathit{nval}(\mathit{Out}[2n-1 \text{ to } n-1]) \\
& \;\wedge\; \mathit{Out}[n-1 \text{ to } 1] \to \mathit{Out}[n-2 \text{ to } 0]\,\bigr]
\end{aligned}
$$

Thus the overall incremental step can be realized by the definition

$$
\begin{aligned}
\mathit{Step}(A) =_{\mathrm{def}}\ & \mathit{beg}(\mathit{def}\,\mathit{Out} \wedge \mathit{def}\,\mathit{Temp}) \supset \\
& \bigl[\, (\mathit{nval}(\mathit{Out}[2n-1 \text{ to } n]) + \mathit{Out}[0] \cdot \mathit{nval}(\mathit{Temp})) \to \mathit{nval}(\mathit{Out}[2n-1 \text{ to } n-1]) \\
& \;\wedge\; \mathit{Out}[n-1 \text{ to } 1] \to \mathit{Out}[n-2 \text{ to } 0] \\
& \;\wedge\; \mathit{Temp} \to \mathit{Temp}\,\bigr]
\end{aligned}
$$
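As an added example (not code from the paper), the following Python simulates Init and Step on bit vectors and checks Assert(A, i) as a runtime invariant after every iteration, so that the inductive argument (**) can be exercised on concrete inputs. The list representation (index 0 is the least significant bit, so a list slice `v[k:]` is the paper's `v[top to k]`) and the function names are assumptions of this example.

```python
# Added example: bit-level simulation of the shift-add multiplier with the
# paper's Assert(A, i) checked after each Step. Not part of the original paper.
# Convention (assumed): a bit vector is a list with v[0] as the least
# significant bit, so v[k:] corresponds to the paper's v[top to k].

def nval(bits):
    """Unsigned value of a bit vector; bits[0] is the least significant bit."""
    return sum(b << k for k, b in enumerate(bits))

def to_bits(value, width):
    """Encode an unsigned value as a width-bit vector (LSB first)."""
    return [(value >> k) & 1 for k in range(width)]

def init(in1, in2):
    """Init(A): Out[2n-1 to n] := 0, Out[n-1 to 0] := In2, Temp := In1."""
    n = len(in1)
    out = list(in2) + [0] * n          # low n bits = In2, high n bits = 0
    return out, list(in1)

def step(out, temp):
    """Step(A): add Temp to the top n bits when Out[0] = 1, store the (n+1)-bit
    sum in Out[2n-1 to n-1], and shift Out[n-1 to 1] down into Out[n-2 to 0]."""
    n = len(temp)
    hi = nval(out[n:]) + out[0] * nval(temp)   # fits in n+1 bits
    new_out = out[1:n] + to_bits(hi, n + 1)    # n-1 shifted bits, then the sum
    return new_out, list(temp)                 # Temp -> Temp

def assert_holds(in1, in2, out, temp, i):
    """Assert(A, i): partial product in Out[2n-1 to n-i], In2[n-1 to i] in
    Out[n-i-1 to 0], and Temp still equal to the original In1."""
    n = len(in1)
    partial = nval(in1) * nval(in2[:i])        # nval(In1) * nval(In2[i-1 to 0])
    return (nval(out[n - i:]) == partial
            and out[:n - i] == in2[i:]
            and temp == in1)

def multiply(in1, in2):
    """Init(A); (Step(A))^n, checking Assert(A, i) for every i <= n.
    Returns nval(Out); Goal(A) requires it to equal nval(In1) * nval(In2)."""
    n = len(in1)
    out, temp = init(in1, in2)
    for i in range(n + 1):
        if not assert_holds(in1, in2, out, temp, i):
            raise AssertionError(f"Assert(A, {i}) violated")
        if i < n:
            out, temp = step(out, temp)
    return nval(out)

if __name__ == "__main__":
    # Constructed sample input: 4-bit operands 13 and 11.
    print(multiply(to_bits(13, 4), to_bits(11, 4)))   # prints 143
```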


6.5  Description  of  Implementation 


The circuit specified below performs the iterative algorithm just given. The
definition includes relevant timing information and is broken down into parts describing
the implementation's physical structure and behavior. The primary predicate
Implementation overviews operation. The device's fields are shown by ImpStructure.
The predicate LoadPhase specifies device operation for initially loading the inputs.
Once this is achieved, the predicate MultPhase indicates how to perform the
individual multiplication steps.

$$
\mathit{Implementation}(H) =_{\mathrm{def}} \mathit{ImpStructure}(H) \wedge \Box\bigl(\mathit{LoadPhase}(H) \wedge \mathit{MultPhase}(H)\bigr)
$$


Definition  of  ImpStructure: 

The structure of the implementation differs from that of the original specification
by the addition of the internal state Temp for maintaining the value of In1 and by
the omission of a count field giving the required number of clock cycles for computing
a product.

ImpStructure(H) =def
    Inputs:     (Ck, Ld): Bit,
                In1[n − 1 to 0]: Bit,
                In2[n − 1 to 0]: Bit
    Outputs:    Out[2n − 1 to 0]: Bit
    Internal:   Temp[n − 1 to 0]: Bit
    Parameters: n: nat,
                c1, c2, c3: time


Definition of LoadPhase:

The body of LoadPhase specifies how to load the inputs as described in the
algorithm:

$$
\mathit{LoadPhase}(H) =_{\mathrm{def}} \mathit{Load}(H) \supset \mathit{Init}(H)
$$

The predicate Load gives the required loading sequence for the circuit inputs. The
predicate Init refers to the algorithm's initialization predicate. The definition of Load
is identical to that of its namesake in Multiplier:

$$
\mathit{Load}(H) =_{\mathrm{def}} \mathit{SingleCycle}(H) \wedge \mathit{beg}(\mathit{Ld} = 1) \wedge (\mathit{Ld}, \mathit{In1}, \mathit{In2})\ \mathit{dep}\ \mathit{Ck}
$$
Individual  clock  cycles  are  also  defined  as  in  Multiplier: 

SingleCycle{H)  =def 


Definition of MultPhase:

When the load signal is inactive at 0, the circuit can be clocked to perform a
single iteration. The algorithm's predicate Step takes place over two clock cycles.

$$
\mathit{MultPhase}(H) =_{\mathrm{def}} \bigl[\, \mathit{Ld} \approx 0 \wedge (\mathit{SingleCycle}(H))^{2} \,\bigr] \supset \mathit{Step}(H)
$$
Implementation Theorem

The correspondence between the implementation Implementation and the original
multiplier device specification Multiplier is now given by the theorem

$$
\models \mathit{Implementation}(H) \supset \mathit{Multiplier}(M)
$$

where the mapping from H's fields to M's is

$$
\begin{aligned}
M.\mathit{field} &= H.\mathit{field}, && \text{for the fields } \mathit{In1}, \mathit{In2} \text{ and } \mathit{Out} \\
M.n &= H.n \\
M.\mathit{count} &= 2\,H.n \\
M.\mathit{field} &= H.\mathit{field}, && \text{for the fields } c1, c2 \text{ and } c3
\end{aligned}
$$


The  value  of  M.count  corresponds  to  the  2n  clock  cycles  needed  for  doing  the 
iterative  computation. 


The behavioral description Implementation can itself be realized by some even
lower-level specification containing further details about the timing and using a still
more concrete algorithm. For example, the iterative steps are decomposable into
separate adds and shifts. If desired, the development ultimately examines such
things as propagation through gates.


§7  Conclusion  and  Future  Plans 

Compared  with  conventional  hardware  description  languages,  the  approach 
used  here  permits  direct  reasoning  about  signal,  device  and  algorithm  behavior 
at  various  levels  of  detail.  In  addition,  the  concepts  relating  specifications  with 
implementations and hardware with register-transfer operations can be rigorously
expressed  within  a  single  mathematical  framework.  A  disadvantage  arises  from  the 
inability  to  directly  execute  arbitrary  descriptions. 

Standard  temporal  logics  and  other  such  notations  have  not  been  designed  to 
concisely  handle  the  kinds  of  quantitative  timing  properties  and  signal  transitions 
found  in  the  examples  considered.  The  intervals  of  time  provide  a  unifying  means 
for  presenting  various  features. 

The  material  presented  only  scratches  the  formalism’s  surface.  Halpern  et  al. 
[6]  and  Moszkowski  [14]  cover  many  details  of  the  logic,  describing  and  comparing 
devices  ranging  from  delay  elements  up  to  the  Am2901  ALU  bit  slice  developed  by 
Advanced  Micro  Devices,  Inc.  Future  work  will  examine  microprocessors,  buses  and 
protocols,  DMA,  firmware  and  instruction  sets,  as  well  as  the  combined  semantics 
of  hardware  and  software. 